Gratis scannen
Analyse in behandelingCVE-2026-42062

CVE-2026-42062: Command Injection in ELECOM WRC-BE72XSD-B

Platform

linux

Component

elecom-wrc-be72xsd-b

Bekijk op NVD
Opslaan

CVE-2026-42062 describes a critical command injection vulnerability discovered in the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. This flaw allows an attacker to execute arbitrary operating system commands without authentication, potentially leading to complete system takeover. The vulnerability affects versions 1.1.0 through v1.1.1. A fix is pending from ELECOM.

Impact en Aanvalsscenarioswordt vertaald…

The impact of this vulnerability is severe. Because no authentication is required, any attacker with network access to the access point can exploit it. Successful exploitation allows an attacker to execute arbitrary OS commands on the device, effectively gaining complete control. This could involve installing malware, stealing sensitive data (configuration files, user credentials stored on the device), modifying system settings, or using the access point as a pivot point to attack other systems on the network. The blast radius extends to any systems accessible from the compromised access point, making it a high-priority security concern.

Uitbuitingscontextwordt vertaald…

The vulnerability was publicly disclosed on 2026-05-13. Exploitation probability is currently assessed as medium due to the ease of exploitation and lack of authentication. No known active campaigns targeting this vulnerability have been reported, but the lack of authentication makes it a prime target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for updates.

Dreigingsinformatie

Exploit Status

Proof of ConceptOnbekend
CISA KEVNO
InternetblootstellingHoog
Rapporten2 dreigingsrapporten

CISA SSVC

Exploitatienone
Automatiseerbaaryes
Technische Impacttotal

CVSS-vector

DREIGINGSINFORMATIE· CVSS 3.1CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetworkHoe de aanvaller het doel bereiktAttack ComplexityLowVereiste omstandigheden om te exploiterenPrivileges RequiredNoneVereist authenticatieniveau voor aanvalUser InteractionNoneOf het slachtoffer actie moet ondernemenScopeUnchangedImpact buiten het getroffen onderdeelConfidentialityHighRisico op blootstelling van gevoelige dataIntegrityHighRisico op ongeautoriseerde gegevenswijzigingAvailabilityHighRisico op verstoring van dienstennextguardhq.com · CVSS v3.1 Basisscore
Wat betekenen deze metrics?
Attack Vector
Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
Attack Complexity
Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
Privileges Required
Geen — geen authenticatie vereist om te exploiteren.
User Interaction
Geen — automatische en stille aanval. Slachtoffer doet niets.
Scope
Ongewijzigd — impact beperkt tot het kwetsbare component.
Confidentiality
Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
Integrity
Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
Availability
Hoog — volledige crash of uitputting van resources. Totale denial of service.

Getroffen Software

Componentelecom-wrc-be72xsd-b
LeverancierELECOM CO.,LTD.
Minimumversie1.1.0
Maximumversiev1.1.1 and earlier

Zwakheidsclassificatie (CWE)

CWE-78

Tijdlijn

  1. Gereserveerd
  2. Gepubliceerd

Mitigatie en Workaroundswordt vertaald…

Given the lack of a currently available patch, immediate mitigation steps are crucial. Implement strict network segmentation to isolate the WRC-BE72XSD-B access point from critical systems. Consider using a Web Application Firewall (WAF) or proxy server to filter incoming requests and block those containing suspicious characters or commands in the username field. Monitor network traffic for unusual activity, particularly attempts to execute commands. Regularly review access point configurations and disable any unnecessary services. Once ELECOM releases a patch, apply it immediately. After upgrade, confirm by attempting a command injection attack via the username parameter; it should be rejected.

Hoe te verhelpenwordt vertaald…

Actualice el firmware del dispositivo WRC-BE72XSD-B a una versión corregida. Consulte el sitio web de ELECOM para obtener más información y las actualizaciones de firmware disponibles: https://www.elecom.co.jp/news/security/20260512-01/

Veelgestelde vragenwordt vertaald…

What is CVE-2026-42062 — Command Injection in ELECOM WRC-BE72XSD-B?

CVE-2026-42062 is a critical command injection vulnerability affecting the ELECOM WRC-BE72XSD-B Wireless LAN Access Point. It allows attackers to execute arbitrary OS commands without authentication, potentially leading to complete system compromise.

Am I affected by CVE-2026-42062 in ELECOM WRC-BE72XSD-B?

You are affected if you are using the ELECOM WRC-BE72XSD-B Wireless LAN Access Point with firmware versions 1.1.0–v1.1.1 or earlier. Immediate action is required.

How do I fix CVE-2026-42062 in ELECOM WRC-BE72XSD-B?

Upgrade to a patched version of the firmware as soon as it becomes available from ELECOM. Until then, implement network segmentation and WAF rules to mitigate the risk.

Is CVE-2026-42062 being actively exploited?

While no active campaigns have been reported, the ease of exploitation and lack of authentication make it a likely target for opportunistic attackers. Continuous monitoring is recommended.

Where can I find the official ELECOM advisory for CVE-2026-42062?

Please refer to the ELECOM website and security advisories for the latest information and patch releases regarding CVE-2026-42062. Check their support pages for updates.

Is jouw project getroffen?

Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.

Gratis scannenCVEs zoeken
livefree scan

Probeer het nu — geen account

Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.

Manual scanSlack/email alertsscanZone.capMonitorWhite-label reports

Sleep uw afhankelijkheidsbestand hierheen

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...